fix(interpreter): reject negative persistent file descriptors#1802
Merged
Conversation
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
bashkit | 5280632 | Commit Preview URL | May 28 2026, 09:15 AM |
chaliy
force-pushed
the
2026-05-28-fix-negative-fd-variable-vulnerability
branch
from
3009a6c to
5280632
Compare
chaliy
added a commit
that referenced
this pull request
May 28, 2026
## Release v0.8.0
Minor release. New feature: VFS-backed Python `open()` support.
### Highlights
- **Python `open()` support** — VFS-backed `open()` / `Path.open()`
read, write, and append now work in the embedded Python builtin, so
LLM-generated `with open("/tmp/...")` scripts run instead of failing.
Host filesystem and network stay unavailable to Python
([#1800](#1800)).
- Further `rg` parity and hardening fixes (default type globs, JSON
context fanout cap, root-arg allocation) plus interpreter fixes for
variable attribute/nameref persistence and persistent file descriptor
validation.
### What's Changed
* ci: reclaim runner disk before disk-hungry scheduled jobs
([#1807](#1807)) by @chaliy
* fix(rg): align r and tf default type globs with ripgrep
([#1805](#1805)) by @chaliy
* fix(rg): cap JSON context event fanout
([#1804](#1804)) by @chaliy
* fix(interpreter): persist var attrs and namerefs across shell state
restore ([#1803](#1803)) by
@chaliy
* fix(interpreter): reject negative persistent file descriptors
([#1802](#1802)) by @chaliy
* fix(rg): avoid root arg string cloning across candidates
([#1801](#1801)) by @chaliy
* feat(python): support vfs-backed open
([#1800](#1800)) by @chaliy
* feat(site): add bashkit logo assets
([#1799](#1799)) by @chaliy
* fix(ci): bypass pnpm `--` separator that breaks napi build flag
forwarding ([#1798](#1798)) by
@chaliy
* fix(site): add homepage canonical link header
([#1797](#1797)) by @chaliy
**Full Changelog**:
v0.7.2...v0.8.0
### Version bump
`0.7.2` → `0.8.0` across `Cargo.toml`, `crates/bashkit-cli/Cargo.toml`,
`crates/bashkit-js/package.json`, and `Cargo.lock`.
### Publish-readiness report
- ✅ `cargo fmt --check` — clean
- ✅ `cargo clippy --workspace --all-targets --features
http_client,ssh,sqlite -- -D warnings` — clean
- ✅ `cargo test --workspace --lib --bins --tests --features
http_client,ssh,sqlite` — green (with pinned ripgrep 15.1.0, matching
CI's `RG_VERSION`)
- ✅ `cargo test --features python -p bashkit` — green
- ✅ `cargo publish --dry-run -p bashkit` — succeeds after replicating
the workflow's monty/python strip step (git-only `monty` dep is stripped
before publish, as in `publish.yml`)
- ✅ `bashkit-cli` packages cleanly; its dry-run's only remaining step is
resolving `bashkit ^0.8.0` from crates.io, which the workflow satisfies
by publishing `bashkit` first (30s index wait) then `bashkit-cli`
- ✅ Version sync: all manifests read `0.8.0`; crates.io latest is
`0.7.2`, so `0.8.0` is a strict increment on every registry (npm/PyPI
versions are derived from the same pipeline)
Notes: in this sandbox the `rg` differential case and
`ssh_supabase_connects` test initially failed only because of
environment (preinstalled ripgrep 14.1.0 vs CI's pinned 15.1.0, and no
egress to the external `supabase.sh` SSH host); both are environmental,
not code regressions.
---
_Generated by [Claude
Code](https://claude.ai/code/session_01URKhGRWFuMgjHQR1YhyNHN)_
chaliy
added a commit
that referenced
this pull request
May 30, 2026
Reject negative fd values in ensure_persistent_fd_capacity and narrow the standard-fd exemption from `fd <= 2` to `0..=2` so attacker-supplied negative fd vars cannot bypass max_file_descriptors. Adds TM-DOS-063 regression tests.
chaliy
added a commit
that referenced
this pull request
May 30, 2026
## Release v0.8.0
Minor release. New feature: VFS-backed Python `open()` support.
### Highlights
- **Python `open()` support** — VFS-backed `open()` / `Path.open()`
read, write, and append now work in the embedded Python builtin, so
LLM-generated `with open("/tmp/...")` scripts run instead of failing.
Host filesystem and network stay unavailable to Python
([#1800](#1800)).
- Further `rg` parity and hardening fixes (default type globs, JSON
context fanout cap, root-arg allocation) plus interpreter fixes for
variable attribute/nameref persistence and persistent file descriptor
validation.
### What's Changed
* ci: reclaim runner disk before disk-hungry scheduled jobs
([#1807](#1807)) by @chaliy
* fix(rg): align r and tf default type globs with ripgrep
([#1805](#1805)) by @chaliy
* fix(rg): cap JSON context event fanout
([#1804](#1804)) by @chaliy
* fix(interpreter): persist var attrs and namerefs across shell state
restore ([#1803](#1803)) by
@chaliy
* fix(interpreter): reject negative persistent file descriptors
([#1802](#1802)) by @chaliy
* fix(rg): avoid root arg string cloning across candidates
([#1801](#1801)) by @chaliy
* feat(python): support vfs-backed open
([#1800](#1800)) by @chaliy
* feat(site): add bashkit logo assets
([#1799](#1799)) by @chaliy
* fix(ci): bypass pnpm `--` separator that breaks napi build flag
forwarding ([#1798](#1798)) by
@chaliy
* fix(site): add homepage canonical link header
([#1797](#1797)) by @chaliy
**Full Changelog**:
v0.7.2...v0.8.0
### Version bump
`0.7.2` → `0.8.0` across `Cargo.toml`, `crates/bashkit-cli/Cargo.toml`,
`crates/bashkit-js/package.json`, and `Cargo.lock`.
### Publish-readiness report
- ✅ `cargo fmt --check` — clean
- ✅ `cargo clippy --workspace --all-targets --features
http_client,ssh,sqlite -- -D warnings` — clean
- ✅ `cargo test --workspace --lib --bins --tests --features
http_client,ssh,sqlite` — green (with pinned ripgrep 15.1.0, matching
CI's `RG_VERSION`)
- ✅ `cargo test --features python -p bashkit` — green
- ✅ `cargo publish --dry-run -p bashkit` — succeeds after replicating
the workflow's monty/python strip step (git-only `monty` dep is stripped
before publish, as in `publish.yml`)
- ✅ `bashkit-cli` packages cleanly; its dry-run's only remaining step is
resolving `bashkit ^0.8.0` from crates.io, which the workflow satisfies
by publishing `bashkit` first (30s index wait) then `bashkit-cli`
- ✅ Version sync: all manifests read `0.8.0`; crates.io latest is
`0.7.2`, so `0.8.0` is a strict increment on every registry (npm/PyPI
versions are derived from the same pipeline)
Notes: in this sandbox the `rg` differential case and
`ssh_supabase_connects` test initially failed only because of
environment (preinstalled ripgrep 14.1.0 vs CI's pinned 15.1.0, and no
egress to the external `supabase.sh` SSH host); both are environmental,
not code regressions.
---
_Generated by [Claude
Code](https://claude.ai/code/session_01URKhGRWFuMgjHQR1YhyNHN)_
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
ensure_persistent_fd_capacitytreatedfd <= 2as exempt, which incorrectly allowed negative fd values from brace-var redirections to create unbounded entries.max_file_descriptorsand exhaust memory by inserting many distinct negative keys for coproc buffers or exec fd table.Description
fd < 0inensure_persistent_fd_capacity.0..=2so only real standard descriptors are exempt.fd_limit_rejects_negative_fd_var_outputandfd_limit_rejects_negative_fd_var_inputto verifyv=-1; exec {v}>...andv=-1; exec {v}<...fail and do not bypass the limit.Testing
cargo test -p bashkit fd_limit_rejects_negative_fd_var -- --nocapturewhich compiled and executed the added tests.fd_limit_rejects_negative_fd_var_outputandfd_limit_rejects_negative_fd_var_input) passed.Codex Task